Issue

Server Setup Information:

• Did you test in newest Wekan?: Yes
• Wekan version: 1.84
• Operating System: Ubuntu
• Deployment Method(snap/docker/sandstorm/mongodb bundle/source): Snap
• Authentication method

Problem description:
Steps to reproduce

• LDAP authentication is configured
• Registration is disabled (in the admin panel)
• A LDAP user tries to connect for the first time

The error below seems to come from the registration page (invitation code blank) whereas the user just tried to login for the first time with LDAP.

logs

wekan.wekan[16543]: [INFO] Init LDAP login "userLoginLDAP"
wekan.wekan[16543]: [WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL
wekan.wekan[16543]: [INFO] Init setup
wekan.wekan[16543]: [INFO] Connecting "ldap://ldap:389"
wekan.wekan[16543]: [DEBUG] connectionOptions{ url: 'ldap://ldap:389',
wekan.wekan[16543]:   timeout: 10000,
wekan.wekan[16543]:   connectTimeout: 10000,
wekan.wekan[16543]:   idleTimeout: 10000,
wekan.wekan[16543]:   reconnect: true,
wekan.wekan[16543]:   log:
wekan.wekan[16543]:    Logger {
wekan.wekan[16543]:      domain: null,
wekan.wekan[16543]:      _events: {},
wekan.wekan[16543]:      _eventsCount: 0,
wekan.wekan[16543]:      _maxListeners: undefined,
wekan.wekan[16543]:      _level: 30,
wekan.wekan[16543]:      streams: [ [Object] ],
wekan.wekan[16543]:      serializers: null,
wekan.wekan[16543]:      src: false,
wekan.wekan[16543]:      fields:
wekan.wekan[16543]:       { name: 'ldapjs',
wekan.wekan[16543]:         component: 'client',
wekan.wekan[16543]:         hostname: 'WEK-VM',
wekan.wekan[16543]:         pid: 17000 } } }
wekan.wekan[16543]: [INFO] LDAP connected
wekan.wekan[16543]: [INFO] Binding UserDN "CN=*****,OU=*****,OU=****,OU=****,dc=***,dc=***"
wekan.wekan[16543]: [INFO] Searching user "userLoginLDAP"
wekan.wekan[16543]: [DEBUG] searchOptions {
wekan.wekan[16543]:   "filter": "(&(samaccountname=userLoginLDAP))",
wekan.wekan[16543]:   "scope": "sub",
wekan.wekan[16543]:   "sizeLimit": 0
wekan.wekan[16543]: }
wekan.wekan[16543]: [DEBUG] BaseDN "dc=***,dc=***"
wekan.wekan[16543]: [INFO] Search result count 1
wekan.wekan[16543]: [INFO] Authenticating "CN=Full NAME,OU=****,OU=****,OU=*****,dc=***,dc=***"
wekan.wekan[16543]: [INFO] Authenticated "CN=Full NAME,OU=****,OU=****,OU=*****,dc=***,dc=***"
wekan.wekan[16543]: [DEBUG] Identifying user with: samaccountname
wekan.wekan[16543]: [INFO] Querying user
wekan.wekan[16543]: [DEBUG] userQuery {
wekan.wekan[16543]:   "services.ldap.id": "************"
wekan.wekan[16543]: }
wekan.wekan[16543]: [DEBUG] userQuery {
wekan.wekan[16543]:   "username": "userLoginLDAP"
wekan.wekan[16543]: }
wekan.wekan[16543]: [INFO] User does not exist, creating "userLoginLDAP"
wekan.wekan[16543]: [DEBUG] Identifying user with: samaccountname
wekan.wekan[16543]: [DEBUG] Identifying user with: samaccountname
wekan.wekan[16543]: [DEBUG] New user data {
wekan.wekan[16543]:   "username": "userLoginLDAP",
wekan.wekan[16543]:   "email": "[email protected]"
wekan.wekan[16543]: }
wekan.wekan[16543]: [ERROR] Error creating user {
wekan.wekan[16543]:   "isClientSafe": true,
wekan.wekan[16543]:   "error": "error-invitation-code-blank",
wekan.wekan[16543]:   "reason": "The invitation code is required",
wekan.wekan[16543]:   "message": "The invitation code is required [error-invitation-code-blank]",
wekan.wekan[16543]:   "errorType": "Meteor.Error"
wekan.wekan[16543]: }
wekan.wekan[16543]: [INFO] Idle
wekan.wekan[16543]: [INFO] Disconecting
wekan.wekan[16543]: [INFO] Closed

Hello, I have installed and configured the snap for wekan before a few days.

It all works fine except from LDAP.
There I get to following error

2019-06-25T05:43:38Z wekan.wekan[32431]: [INFO] Init LDAP login "test\lemoneistee"
2019-06-25T05:43:38Z wekan.wekan[32431]: [WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL
2019-06-25T05:43:38Z wekan.wekan[32431]: [WARN] Lookup for unset variable: LDAP_USER_ATTRIBUTES
2019-06-25T05:43:38Z wekan.wekan[32431]: [INFO] Init setup
2019-06-25T05:43:38Z wekan.wekan[32431]: [INFO] Connecting "ldap://192.168.10.1:389"
2019-06-25T05:43:38Z wekan.wekan[32431]: [DEBUG] connectionOptions{ url: 'ldap://192.168.10.1:389',
2019-06-25T05:43:38Z wekan.wekan[32431]: timeout: 10000,
2019-06-25T05:43:38Z wekan.wekan[32431]: connectTimeout: 10000,
2019-06-25T05:43:38Z wekan.wekan[32431]: idleTimeout: 10000,
2019-06-25T05:43:38Z wekan.wekan[32431]: reconnect: true,
2019-06-25T05:43:38Z wekan.wekan[32431]: log:
2019-06-25T05:43:38Z wekan.wekan[32431]: Logger {
2019-06-25T05:43:38Z wekan.wekan[32431]: domain: null,
2019-06-25T05:43:38Z wekan.wekan[32431]: _events: {},
2019-06-25T05:43:38Z wekan.wekan[32431]: _eventsCount: 0,
2019-06-25T05:43:38Z wekan.wekan[32431]: _maxListeners: undefined,
2019-06-25T05:43:38Z wekan.wekan[32431]: _level: 30,
2019-06-25T05:43:38Z wekan.wekan[32431]: streams: [ [Object] ],
2019-06-25T05:43:38Z wekan.wekan[32431]: serializers: null,
2019-06-25T05:43:38Z wekan.wekan[32431]: src: false,
2019-06-25T05:43:38Z wekan.wekan[32431]: fields:
2019-06-25T05:43:38Z wekan.wekan[32431]: { name: 'ldapjs',
2019-06-25T05:43:38Z wekan.wekan[32431]: component: 'client',
2019-06-25T05:43:38Z wekan.wekan[32431]: hostname: 'wekan',
2019-06-25T05:43:38Z wekan.wekan[32431]: pid: 805 } } }
2019-06-25T05:43:38Z wekan.wekan[32431]: [INFO] LDAP connected
2019-06-25T05:43:38Z wekan.wekan[32431]: [ERROR] InvalidCredentialsError: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
2019-06-25T05:43:38Z wekan.wekan[32431]:
2019-06-25T05:43:48Z wekan.wekan[32431]: [INFO] Idle
2019-06-25T05:43:48Z wekan.wekan[32431]: [INFO] Disconecting
2019-06-25T05:43:48Z wekan.wekan[32431]: [INFO]

I have read that 52e means wrong password, but the password is 100% correct. I have set up ldap on some other ubuntu server and it works fine with the same user and password (and of curse the user is in the right basedn)

Here are my current configurations

ldap-enable: true ldap-port: 389 ldap-host: AD01 ldap-basedn: 192.168.10.1 ldap-reconnect: true ldap-authentication: true ldap-authentication-userdn: ldap ldap-authentication-password: example ldap-background-sync: true ldap-user-authentication: true ldap-username-field: sAMAccountName default-authentication-method: ldap ldap-default-domain: test.local

Hi Team,

When debugging ldap, I use debug mode with environment variables :

• LDAP_LOG_ENABLED=true
• LDAP_INTERNAL_LOG_LEVEL=debug

It worked fine until 2.42, since 2.43 It doesn't anymore, debug and login.

• 2.42 = ok, ldap logins succeed, debug is shown.
• 2.43 = nok, ldap logins fails, no debug is shown, on web interface we got "User has no password set"
• 2.44 = same
• 2.45 = same
• latest = same

Any ideas to provide more logs/infos ?

Thank you

once the LDAP Stuff works ...

• How to disable the Password Login or
• How to set LDAP Logon to default ?

Issue

Server Setup Information:

• Did you test in newest Wekan?: most recent docker image from quay.io/wekan/wekan
• For new Wekan install, did you configure root-url correctly https://github.com/wekan/wekan/wiki/Settings ?
• Wekan version: v1.69.0
• Operating System: Univention Corporate Server (debian 9)
• Deployment Method(snap/docker/sandstorm/mongodb bundle/source): docker
• Http frontend if any (Caddy, Nginx, Apache, see config examples from Wekan GitHub wiki first): Apache 2 reverse proxy
• Node Version: v8.12.0
• MongoDB Version: docker mongo:3.2.21
• ROOT_URL environment variable http(s)://(subdomain).example.com(/suburl): https://192.168.178.251/wekan

Problem description:
LDAP authentication is configured and works.
On a fresh DB and Wekan container started with docker-compose the user can login. The user account is created. Email address is synched.
The full name stayes empty! I tried to upload a screenshot but I was not able to.

I tried both settings for the mapping:
LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mailPrimaryAddress":"email"}
LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mailPrimaryAddress":"email"}

Log output on docker show this:
wekan-app | [INFO] User does not exist, creating "firstname.lastname"
wekan-app | [DEBUG] Identifying user with: uid
wekan-app | [DEBUG] Mapping field cn -> name
wekan-app | [DEBUG] user.name changed to: Firstname Lastname
wekan-app | [DEBUG] Mapping field mailPrimaryAddress -> email
wekan-app | [DEBUG] Identifying user with: uid
wekan-app | [DEBUG] New user data {
wekan-app | "username": "firstname.lastname",
wekan-app | "email": "[email protected]"
wekan-app | }
wekan-app | [INFO] Syncing user data
wekan-app | [DEBUG] user {
wekan-app | "email": "[email protected]",
wekan-app | "_id": "MJgtrqoRmNXfTzfHy"
wekan-app | }
wekan-app | [INFO] Idle
wekan-app | [INFO] Disconecting
wekan-app | [INFO] Closed

I even tried:
LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"fullname", "mailPrimaryAddress":"email"}
But then I get a debug message that the field fullname is not whitelisted.

How can the fullname be synced from LDAP?
Is there a list of user attributes documented that are availble for sync?

Issue

Server Setup Information:

• Did you test in newest Wekan?: Yes
• Wekan version: v1.66
• Operating System: Ubuntu
• Deployment Method(snap/docker/sandstorm/mongodb bundle/source): Snap
• Node Version: v8.12.0

I am trying to get LDAP working for Wekan and getting the following issue.
LDAP is connected. The user sync doesn't work.

Any ideas?
Thanx!

Greetings,

Erik

I'm trying to debug LDAP connectivity, and ldapsearch works as I expect it to. However, the same configuration options always result in "Login forbidden" at the Wekan login page. I suspect it might be related to our Active Directory having sAMAccountName as the name field rather than something like uid.

In order to debug this further, I'm trying to figure out exactly what is failing, but all I can find is snap logs wekan, which doesn't seem to capture LDAP or login failure information. Is there a way to increase the amount of logging beyond simply ldap-log-enable, or is there another place to find the LDAP logs?

LDAP: unable to map avatar picture

Continuation of https://github.com/wekan/wekan/issues/1976

Hello,

I try to connect my AD with Wekan but without success.
I have connect many systems like Joomla, DokuWiki etc. but Wekan no way..

CentOS 7, SNAP lastest Version of Wekan.

So can anyone provide an useful HowTo with examples ?

Many thanks.

From @DrGraypFroot

I did a bit of testing: Imported Mongo Data from our production server into the new updated testinstance. Worked without problems. I then changed changed the layout options in the admin panel so only the ldap login option is displayed. The login didn't work right off the bat. I had to bash into the wekan-db container, go into the mongo shell and alter the authenticationMethod field from password to ldap via the cli. After that, the user could login.

If i simply change authentication method from password to ldap via the admin panel, it doesn't work. (Nothing happens when i hit "Save")

Oh, forgot to mention, this is all concerning existing users

I think the "people" tab in the admin panel doesn't work correctly

Some users have no mail address, but if i search them directly on the mongodb, the address is there. same with authentication method. on the panel, it says undefined for most users (for some it says password). but even if i change it to ldap over the cli, on the panel, it still says undefined.

So a workaround right now would be to set authenticationmethod:ldap for all users via the mongo cli

or do you have a better suggestion?

@Akuket

Do you have time to look at this?

Hello,

when I try to log in to Wekan (2.45, from snap) via LDAP, I'm lately getting the message "Login forbidden". Unfortunately I cannot tell when this started, login sessions stay valid for so long... ;)

What I observed though is an error that shows up in the JS console every time I press the login button:

4b59dd7535c2383ae1496360b6ff19fbcb0191cd.js?meteor_js_resource=true:323 Uncaught (in promise) ReferenceError: req is not defined
    at s (4b59dd7535c2383ae1496360b6ff19fbcb0191cd.js?meteor_js_resource=true:323)
    at n (4b59dd7535c2383ae1496360b6ff19fbcb0191cd.js?meteor_js_resource=true:17)
    at Generator.i [as _invoke] (4b59dd7535c2383ae1496360b6ff19fbcb0191cd.js?meteor_js_resource=true:17)
    at Generator.t.(anonymous function) [as next] (https://wekan.mydomain.com/4b59dd7535c2383ae1496360b6ff19fbcb0191cd.js?meteor_js_resource=true:17:15822)
    at n (4b59dd7535c2383ae1496360b6ff19fbcb0191cd.js?meteor_js_resource=true:17)
    at e (4b59dd7535c2383ae1496360b6ff19fbcb0191cd.js?meteor_js_resource=true:17)
    at 4b59dd7535c2383ae1496360b6ff19fbcb0191cd.js?meteor_js_resource=true:17
    at new Promise (<anonymous>)
    at n (4b59dd7535c2383ae1496360b6ff19fbcb0191cd.js?meteor_js_resource=true:17)
    at c.r [as _invoke] (4b59dd7535c2383ae1496360b6ff19fbcb0191cd.js?meteor_js_resource=true:17)

I don't see any HTTP requests going out, but that is probably because it communicates via websockets, right?

• Logging in via Password does not work either.
• There's no incoming traffic on the LDAP server.

LDAP logging config:

ldap-internal-log-level       debug
ldap-log-enabled              true

But nothing is showing up in the logs when trying to log in. The latest message is Kadira: completed instrumenting the app from startup.

Do you have any idea what could be wrong?

This doesn't seem to be the same issue as wekan/wekan#14, but correct me if I'm wrong.

We've got Wekan set up and working with LDAP auth, but importing all of the users in the user base DN doesn't seem to work:

ldap-background-sync                              true
ldap-background-sync-import-new-users             true
ldap-background-sync-interval                     100
ldap-background-sync-keep-existant-users-updated  true

Is there a way to force the sync? Logs aren't showing any attempts at syncing, although any login related log messages are there and show no errors.

We're running this on CentOS 7.5 via snapd.

Dear, I can not sync users who do not have my ActiveDirectory
Can you help me in any way?

If you need more information, let me know

Did you test in newest Wekan?: Yes

• For new Wekan install, did you configure root-url correctly Yes
• Wekan version:
• Operating System: RedHat 7
• Deployment Method(snap/docker/sandstorm/mongodb bundle/source): Snap

###Config
Key Value
caddy-enabled true
ldap-authentication true
ldap-authentication-password kasXXX@2016
ldap-authentication-userdn CN="user",OU=Usuarios-Admins,DC=x,DC=dom
ldap-basedn OU=Usuarios-Admins,DC=x,DC=dom
ldap-connect-timeout 10000
ldap-enable true
ldap-fullname-field CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=X,DC=dom
ldap-host barueri10.X.dom
ldap-internal-log-level debug
ldap-log-enable true
ldap-login-fallback true
ldap-merge-existing-users true
ldap-port 389
ldap-reconnect true
ldap-sync-user-data-fieldmap {...}
ldap-timeout 10000
ldap-username-field uid
mail-from Wekan Orizon [email protected]
mail-url smtp://smtpprod.X.local
port 80
root-url http://wekan.X.local

###Log Error
2018-11-23T13:14:44Z wekan.wekan[5577]: at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:15)
2018-11-23T13:14:44Z wekan.wekan[5577]: at Object._failIfArgumentsAreNotAllChecked (packages/check.js:127:41)
2018-11-23T13:14:44Z wekan.wekan[5577]: at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1765:18)
2018-11-23T13:14:44Z wekan.wekan[5577]: at DDP._CurrentPublicationInvocation.withValue (packages/ddp-server/livedata_server.js:1043:15)
2018-11-23T13:14:44Z wekan.wekan[5577]: at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:15)
2018-11-23T13:14:44Z wekan.wekan[5577]: at Subscription._runHandler (packages/ddp-server/livedata_server.js:1041:51)
2018-11-23T13:14:44Z wekan.wekan[5577]: at Session._startSubscription (packages/ddp-server/livedata_server.js:859:9)
2018-11-23T13:14:44Z wekan.wekan[5577]: at Session.sub (packages/ddp-server/livedata_server.js:625:12)
2018-11-23T13:14:44Z wekan.wekan[5577]: at packages/ddp-server/livedata_server.js:559:43
2018-11-23T13:14:44Z wekan.wekan[5577]: Sanitized and reported to the client as: Match failed [400]

LDAP: unable to map is admin flag

I am trying to do some development and I am currently using docker-compose to build wekan.
I find this build system very slow. Is there any other solution that developers use for local testing?
Thanks

Issue

Server Setup Information:

• Did you test in newest Wekan?: Yes
• For new Wekan install, did you configure root-url correctly https://github.com/wekan/wekan/wiki/Settings ? Yes
• Wekan version: wekan/wekan:latest (docker)
• If this is about old version of Wekan, what upgrade problem you have?:
• Operating System: Ubuntu 18.04.2 (docker host)
• Deployment Method(snap/docker/sandstorm/mongodb bundle/source): docker
• Http frontend if any (Caddy, Nginx, Apache, see config examples from Wekan GitHub wiki first): jwilder/nginx-proxy
• Node Version: (from docker image)
• MongoDB Version: 4.0
• ROOT_URL environment variable http(s)://(subdomain).example.com(/suburl): https://wekan.mydomain.com

Problem description:
LDAP login takes place, but there is an error, and the login screen continues to appear. The log shows that the LDAP authentication happened successfully but then there is an error on the login action.

There had been no issues with the LDAP part of it. It is only after the last few updates. Any help would be appreciated, as I don't want to have to rebuild without first finding out what the problem is.

Steps to reproduce

• Install wekan/wekan:latest docker image, with LDAP authentication.
• Attempt to log in.
• Login screen does not go away.
• Check stdout logs, LDAP auth happens successfully, but there is an error on login action.
• Webbrowser console displays no errors.

Docker stdout log (asterisks for privacy)

[INFO] LDAP connected 
[INFO] Binding UserDN "cn=serviceaccount,ou=Administrators,dc=mydomain,dc=com"
[INFO] Searching user "bkraul"
[DEBUG] searchOptions {
  "filter": "(&(sAMAccountName=bkraul))",
  "scope": "sub",
  "sizeLimit": 0
}
[DEBUG] BaseDN "ou=*****,ou=****,dc=mydomain,dc=com"
[INFO] Search result count 1
[INFO] Authenticating "CN=Belman Kraul,OU=IT,OU=****,OU=****,DC=mydomain,DC=com"
[INFO] Authenticated "CN=Belman Kraul,OU=IT,OU=****,OU=EPGU****sers,DC=mydomain,DC=com"
[DEBUG] Identifying user with: sAMAccountName 
[INFO] Querying user 
[DEBUG] userQuery {
  "services.ldap.id": "*******"
}
[INFO] Logging user 
[DEBUG] Updating admin status 
Exception while invoking method 'login' [object Object]

The interesting thing is that I can't copy any more lines after that line, as there are some special characters in the object...

I have tried to figure out how to get more information from that exception, but I am at a loss.

On the login page, it would be nice to disable all other methods (local, oidc..) and registration, except ldap login.

Issue

With LDAP_BACKGROUND_SYNC_INTERVAL set, wekan fails to sync

Server Setup Information:

• Wekan version: latest master 3.0.01
• Operating System: Centos 7
• Deployment Method(snap/docker/sandstorm/mongodb bundle/source): Source
• Http frontend if any (Caddy, Nginx, Apache, see config examples from Wekan GitHub wiki first):
• Node Version: 10.16.0
• MongoDB Version: 4.0

Problem description:

1. Set up LDAP auth to work properly for your environment per the doucmentation.

Also enable background sync via:

LDAP_BACKGROUND_SYNC=true
LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=true

LDAP_BACKGROUND_SYNC_INTERVAL=500

3. Start up wekan

---> error occurs:

Jul 26 19:09:31 wekan Wekan: [INFO] Enabling LDAP Background Sync
Jul 26 19:09:31 wekan Wekan: Exception in callback of async function: TypeError: str.toLowerCase is not a function
Jul 26 19:09:31 wekan Wekan: at Object.later.parse.text (/usr/local/wekan/build-0/programs/server/npm/node_modules/meteor/percolate_synced-cron/node_modules/later/later.js:1506:34)
Jul 26 19:09:31 wekan Wekan: at Object.schedule (packages/wekan-ldap/server/sync.js:436:22)
Jul 26 19:09:31 wekan Wekan: at scheduleEntry (packages/percolate_synced-cron.js:126:24)
Jul 26 19:09:31 wekan Wekan: at packages/percolate_synced-cron.js:163:7
Jul 26 19:09:31 wekan Wekan: at Function..each..forEach (packages/underscore.js:147:22)
Jul 26 19:09:31 wekan Wekan: at packages/percolate_synced-cron.js:162:7
Jul 26 19:09:31 wekan Wekan: at Object.startup (packages/meteor.js:992:5)
Jul 26 19:09:31 wekan Wekan: at Object.SyncedCron.start (packages/percolate_synced-cron.js:160:10)
Jul 26 19:09:31 wekan Wekan: at addCronJobDebounced (packages/wekan-ldap/server/sync.js:4

Hi,

Fresh install : Ubuntu 19 + Snap wekan install (v2.75.0)

When I activatesync role groups
sudo snap set wekan ldap-sync-group-roles='true' ldap-sync-admin-groups='admin'
Login fails. Error :
Exception while invoking method 'login' { stack: 'ReferenceError: Roles is not defined
I guess the line concerned is 177 in loginHandler.js :

if( groups.length > 0 ) {
        Roles.setUserRoles(user._id, groups );
        log_info(`Updated roles to:${  groups.join(',')}`);
      }

Regards

As mentioned in wekan/wekan#2152 there is a naming conflict for the getValue prototype between wekan-ldap and meteor-apm-agent.

The upcoming pull request will resolve this issue...

Hi,

a board admin of my wekan instance reported, that he cannot remove members from his board or from cards. By clicking remove the member diappears and re-appears shortly after. Though removement is logged, the member still has access to the board.

The member is authenticated via LDAP. The board admin is a local wekan user.

Server Setup Information:

• Did you test in newest Wekan?: yes
• Wekan version: 3.44 (docker)
• Operating System: debian 9.11
• Deployment Method(snap/docker/sandstorm/mongodb bundle/source): docker
• Http frontend if any (Caddy, Nginx, Apache, see config examples from Wekan GitHub wiki first): Apache
• Node Version: 8.16.1
• MongoDB Version: 3.2.21
• Wekan only works on newest desktop Firefox/Chromium/Chrome/Edge/Chromium Edge and mobile Chrome. What webbrowser version are you using? 60.9.0esr (64-Bit)

Problem description:

• REQUIRED: Add recorded animated gif about how it works currently, and screenshot mockups how it should work. Use peek to record animgif in Linux https://github.com/phw/peek

Sorry, I cannot privide an animated gif because auf data privacy.

• Explain steps how to reproduce

I tried to reproduce, but I couldn't. In my test boards (same server) removing members is possible.

• If using Docker, what does show command sudo docker logs wekan-app ? Please anonymize logs.

Please see attachment wekan bug log 2019-09-26.zip

Please let me know if you need more information.

Hi,

Problem

We're attempting to implement LDAP for our existing standalone Wekan server. Existing users have been able to create their own usernames, which almost invariably don't match their LDAP usernames.

When Wekan detects a match between LDAP username and an existing account's username, and merge existing accounts is set to true, Wekan will login the LDAP user to the matched account. There's no verification step to check that the Wekan account truly belongs to the LDAP user (e.g. a request for Wekan user's password) before committing the merge.

This is problematic as a user may have already created an account with a username that matches another user's LDAP username (improbable for most but nonetheless possible). When the LDAP user goes to login, Wekan will detect an existing account which does not belong to the LDAP user and grant access, essentially commandeering the account.

While it doesn't apply to us, other organisations may allow users to change their LDAP usernames. This would allow exploitation in a more targeted manner to take control of accounts.

Solutions

Probably the most intuitive method would be to prompt the Wekan user for their existing password before committing the account merge.

A cheaper method could be to verify the match by LDAP e-mail address, i.e. confirm the matched Wekan user has a verified e-mail address that matches the LDAP user.

I'll put together a PR for the second option when I get a chance.

Issue

Server Setup Information:

• Wekan version: 1.39 + LDAP Package (installation done as taken from https://github.com/wekan/wekan/pull/1826/files)
• Operating System: CentOS 7

Problem description:
When Self-registration is disabled, account existing the ldap, but not on Wekan (never logged-in) cannot login as an invitation-code is requested.

// models/users.js
      throw new Meteor.Error('error-invitation-code-blank', 'The invitation code is required');

@danpatdav

Can you add docs to wiki how to configure Wekan LDAP on Azure? You mentioned about Azure at wekan/wekan#2149

Hi,
i have a error with LDAP authentification when i check with the command sudo snap logs -f wekan
i can see [INFO] Ldap connected but i obtains this after:
2019-12-30T14:14:00Z wekan.wekan[7299]: [ERROR] InvalidCredentialsError: 80090308: LdapErr: DSID-0C090421, comment: AcceptSecurityContext error, data 52e, v23f0
I hope you can help me plz

Thanks,

Hi Team,

I'm doing some tests with Wekan on openshift, with LDAP Auth.

Login with a user with a single "mail" attribute works. Login with a user with multiple "mail" attributes doesn't.

Log :

[INFO] Init LDAP login "pcurie"
[WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL 
[INFO] Init setup 
[INFO] Connecting "ldap://192.168.1.44:389"
[DEBUG] connectionOptions{ url: 'ldap://192.168.1.44:389',
  timeout: 10000,
  connectTimeout: 10000,
  idleTimeout: 10000,
  reconnect: true,
  log: 
   Logger {
     domain: null,
     _events: {},
     _eventsCount: 0,
     _maxListeners: undefined,
     _level: 30,
     streams: [ [Object] ],
     serializers: null,
     src: false,
     fields: 
      { name: 'ldapjs',
        component: 'client',
        hostname: 'wekan-14-b6slr',
        pid: 1 } } } 
[INFO] LDAP connected 
[INFO] Binding UserDN "uid=svc-wekan,cn=sysaccounts,cn=etc,dc=acme,dc=org"
[INFO] Searching user "pcurie"
[DEBUG] searchOptions {
  "filter": "(&(uid=pcurie))",
  "scope": "sub",
  "sizeLimit": 0
}
[DEBUG] BaseDN "cn=users,cn=accounts,dc=acme,dc=org"
[INFO] Search result count 1
[INFO] Authenticating "uid=pcurie,cn=users,cn=accounts,dc=acme,dc=org"
[INFO] Authenticated "uid=pcurie,cn=users,cn=accounts,dc=acme,dc=org"
[DEBUG] Identifying user with: uid 
[INFO] Querying user 
[DEBUG] userQuery {
  "services.ldap.id": "706175637572"
}
[DEBUG] userQuery {
  "username": "pcurie"
}
[INFO] User does not exist, creating "pcurie"
[DEBUG] Identifying user with: uid 
[DEBUG] Mapping field cn -> name 
[DEBUG] user.name changed to: Paul CURIE 
[DEBUG] Mapping field mail -> email 
[DEBUG] Identifying user with: uid 
[DEBUG] New user data {
  "username": "pcurie",
  "email": {
    "type": "Buffer",
    "data": [
      112,
      97,
      117,
      99,
      117,
      114,
      64,
      119,
      111,
      114,
      116,
      101,
      107,
      115,
      46,
      99,
      111,
      109
    ]
  }
}
[ERROR] Error creating user {
  "message": "Match error: Expected string, got object in field email",
  "path": "email",
  "sanitizedError": {
    "isClientSafe": true,
    "error": 400,
    "reason": "Match failed",
    "message": "Match failed [400]",
    "errorType": "Meteor.Error"
  },
  "errorType": "Match.Error"
}
Exception while invoking method 'login' Error: Match error: Expected string, got object in field email
    at exports.check (packages/check.js:55:15)
    at createUser (packages/accounts-password/password_server.js:1028:3)
    at AccountsServer.Accounts.createUser (packages/accounts-password/password_server.js:1123:10)
    at addLdapUser (packages/wekan:wekan-ldap/server/sync.js:277:31)
    at DDPCommon.MethodInvocation.<anonymous> (packages/wekan:wekan-ldap/server/loginHandler.js:159:18)
    at packages/accounts-base/accounts_server.js:468:32
    at tryLoginMethod (packages/accounts-base/accounts_server.js:245:14)
    at AccountsServer.Ap._runLoginHandlers (packages/accounts-base/accounts_server.js:465:18)
    at DDPCommon.MethodInvocation.methods.login (packages/accounts-base/accounts_server.js:528:27)
    at packages/check.js:128:16
    at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:15)
    at Object._failIfArgumentsAreNotAllChecked (packages/check.js:127:41)
    at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1765:18)
    at DDP._CurrentMethodInvocation.withValue (packages/ddp-server/livedata_server.js:719:19)
    at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:15)
    at DDPServer._CurrentWriteFence.withValue (packages/ddp-server/livedata_server.js:717:46)
Sanitized and reported to the client as: Match failed [400]

[INFO] Idle 
[INFO] Disconecting 
[INFO] Closed

Thank you

I am successfully using edge branch with LDAP. This is a great great work ! To push it a bit further, it would be great to have a way to map full name, is admin flag and avatar picture to LDAP fields. May be it is already achievable but how ?

It seems the following settings are possibly misspelt. This misspelling has carried over to main wekan code base as well (in the docker files, snap files etc).

      Authentication: this.constructor.settings_get('LDAP_AUTHENTIFICATION'),
      Authentication_UserDN: this.constructor.settings_get('LDAP_AUTHENTIFICATION_USERDN'),
      Authentication_Password: this.constructor.settings_get('LDAP_AUTHENTIFICATION_PASSWORD'),

wekan.help:

ldap-encryption: If using LDAPS
Current value set to: 'false', (default value: 'false')

But there's also option 'tls' for non LDAPS but StartTLS only.

Wekan uses the "username" field for email salutation ("Dear username,") and subject line ("admin sent you an invitation") and we can use "ldap-username-field" to fill it with something usefull via LDAP authentication.
As the field doesn't support spaces (will get replaced by dots) it makes most sense to use the "givenname" attribute in my opinion. Unfortunately it gets converted to lower case.

"Dear Daniel" would be a much nicer salutation than "Dear daniel". Any chance to preserve the case? Otherwise I'd recommend to use the "Full Name" within emails (this one preservce the case).

Hey guys,

I'm currently installing Wekan on Ubuntu Server 18.04 LTS and use the provided docker-compose.yml. I configured LDAP based login successfully however, I have to restrict the wekan access to selected Active Directory users. Unfortunately I did not find a comprehensive documentation on how to use the LDAP_GROUP_FILTER_GROUP_* environment variables and my settings do not work.

Snippet of relevant docker-compose.yml environment variables:

- LDAP_GROUP_FILTER_ENABLE=true
# LDAP_GROUP_FILTER_OBJECTCLASS : The object class for filtering
# example : LDAP_GROUP_FILTER_OBJECTCLASS=group
- LDAP_GROUP_FILTER_OBJECTCLASS=group
# LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE :
# example :
- LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE=cn
# LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE :
# example :
- LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE=member
# LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT :
# example :
#- LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT=
# LDAP_GROUP_FILTER_GROUP_NAME :
# example :
- LDAP_GROUP_FILTER_GROUP_NAME=wekan_user  #<-- this is a Active Directory security group

The LDAP log of my Docker container outputs the following:

wekan-app  | [INFO] Init LDAP login "ACCOUNTNAME"
wekan-app  | [INFO] Init setup                                                                   
wekan-app  | [INFO] Connecting "ldaps://DOMAINNAME.de:636"                                     
wekan-app  | [DEBUG] connectionOptions{ url: 'ldaps://DOMAINNAME.de:636',                      
wekan-app  |   timeout: 5000,                                                                    
wekan-app  |   connectTimeout: 5000,                                                             
wekan-app  |   idleTimeout: 5000,                                                                
wekan-app  |   reconnect: true,                                                                  
wekan-app  |   log:                                                                              
wekan-app  |    Logger {                                                                         
wekan-app  |      domain: null,                                                                  
wekan-app  |      _events: {},                                                                   
wekan-app  |      _eventsCount: 0,                                                               
wekan-app  |      _maxListeners: undefined,                                                      
wekan-app  |      _level: 30,                                                                    
wekan-app  |      streams: [ [Object] ],                                                         
wekan-app  |      serializers: null,                                                             
wekan-app  |      src: false,                                                                    
wekan-app  |      fields:                                                                        
wekan-app  |       { name: 'ldapjs',                                                             
wekan-app  |         component: 'client',                                                        
wekan-app  |         hostname: '8eb83e351ce6',                                                   
wekan-app  |         pid: 1 } },                                                                 
wekan-app  |   tlsOptions: { rejectUnauthorized: false } }                                       
wekan-app  | [INFO] LDAP connected                                                               
wekan-app  | [INFO] Binding UserDN "CN=wekan,OU=Serviceaccounts,DC=DOMAINNAME,DC=de"     
wekan-app  | [INFO] Searching user "ACCOUNTNAME"                                                  
wekan-app  | [DEBUG] searchOptions {                                                             
wekan-app  |   "filter": "(&(samAccountName=ACCOUNTNAME))",                                       
wekan-app  |   "scope": "sub",                                                                   
wekan-app  |   "sizeLimit": 100000,                                                              
wekan-app  |   "paged": {                                                                        
wekan-app  |     "pageSize": 100000,                                                             
wekan-app  |     "pagePause": false                                                              
wekan-app  |   }                                                                                 
wekan-app  | }                                                                                   
wekan-app  | [DEBUG] BaseDN "dc=DOMAINNAME,dc=de"                                              
wekan-app  | [INFO] Search result count 1                                                        
wekan-app  | [INFO] Authenticating "CN=ACCOUNTNAME\\, FIRSTNAME,OU=User,DC=DOMAINNAME,DC=de"                                                                              
wekan-app  | [INFO] Authenticated "CN=ACCOUNTNAME\\, FIRSTNAME,OU=User,DC=DOMAINNAME,DC=de"                                                                               
wekan-app  | [DEBUG] Group list filter LDAP: "(&(objectclass=group))"                            
wekan-app  | [ERROR] SizeLimitExceededError: Size Limit Exceeded                                 
wekan-app  | [ERROR] SizeLimitExceededError: Size Limit Exceeded                                 
wekan-app  | [INFO] Fallback to default account system:  {                                       
wekan-app  |   "username": "ACCOUNTNAME"                                                          
wekan-app  | }                                                                                   
wekan-app  | [DEBUG] Fallback options:  {                                                        
wekan-app  |   "user": {                                                                         
wekan-app  |     "username": "ACCOUNTNAME"                                                        
wekan-app  |   },                                                                                
wekan-app  |   "password": {                                                                     
wekan-app  |     "digest": "8627ffea103cc25f9fe10e3251a01cf39005ec4782b62e9bf6530d4fb443",   
wekan-app  |     "algorithm": "sha-256"      

Is there anybody who can give me an advice?

Greetings!
Patrick

Hello,
after configured docker compose when try to login get this message:
[ERROR] StrongAuthRequiredError: BindSimple: Transport encryption required.
the wrong is wekan-ladp not support server NSDC of netherserver?
when disable it from the server I get this error?
[ERROR] InvalidCredentialsError: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
and when enable TLS from file confige and add certificate get:
wekan-app | ca: wekan-app | [ '-----BEGIN CERTIFICATE-----MIIF3jCCA8agAwIBAgIC...-----END CERTIFICATE-----' ] } } wekan-app | [ERROR] connection time out 10000 wekan-app | [ERROR] Error: Timeout
so how can i debug it to get more information?is there is way to make change manully (for ldap)?
and where is the wrong?
as DSID error maybe related to
#48
#52
version:v3.64
Best Regards

Same issue as #1 but using snap instead of docker

Server Setup Information:

Wekan version: 1.82
Operating System: Ubuntu 18.04

Problem description:
When Self-registration is disabled, account existing the ldap, but not on Wekan (never logged-in) cannot login as an invitation-code is requested.

Dec 05 10:24:35 srv-wekan wekan.wekan[7379]: [ERROR] Error creating user { Dec 05 10:24:35 srv-wekan wekan.wekan[7379]: "isClientSafe": true, Dec 05 10:24:35 srv-wekan wekan.wekan[7379]: "error": "error-invitation-code-blank", Dec 05 10:24:35 srv-wekan wekan.wekan[7379]: "reason": "The invitation code is required", Dec 05 10:24:35 srv-wekan wekan.wekan[7379]: "message": "The invitation code is required [error-invitation-code-blank]", Dec 05 10:24:35 srv-wekan wekan.wekan[7379]: "errorType": "Meteor.Error"

Hi,

I'm happy to see you people added LDAP support to Wekan! Of course I tried to set it up, but I don't seem to be lucky yet. This is Wekan 1.74.1 (stable) via Snap on Arch Linux.
The current configuration is this:

ldap-basedn       ou=people,dc=DOMAIN,dc=com
ldap-ca-cert      /home/USER/ca.DOMAIN.com.crt
ldap-enable       true
ldap-encryption   ssl
ldap-host         ldap.DOMAIN.com
ldap-log-enabled  true
ldap-port         636
mail-url          smtp://smtp.DOMAIN.com:25
port              80
root-url          http://hpa.DOMAIN.com

(Replaced me and my domain with USER and DOMAIN respectively.)

With these settings, I can select LDAP from the dropdown on the Wekan login screen. If I try to log in with my otherwise working LDAP credentials "nothing happens" though. The login form stays visually the same and nothing is printed by snap logs -f wekan (which I started before trying to log in).
The LDAP server's logs don't show any connection attempts so far. I must admit I am not very familiar with snap yet. Is there somewhere else I could look for an error message?

Is there support for client-side authentication? For example, to authenticate the user you request a client's certificate. Accounts would be created if the certs are trusted (based on a configured trust store).

For additional security, Wekan can connect to LDAP, find the user based on cert info and reject access unless they are in a configured group. You never need to request a password from the user.

I have LDAP setup, but I would love to fetch their client certificate instead of asking them to provide their account credentials. This is how I've setup access in the past with Apache for other webapps.

Actually, the ldap plugin uses a single baseDN for both User and group requests.
Most LDAPs uses distincts "ou" to store users and groups, so it should be possible to specify the user root dn and the group root dn.

For instance, I would like to be able to use LDAP_USER_ROOT_DN=ou=People,dc=example,dc=com and LDAP_GROUP_ROOT_DN=ou=Groups,dc=example,dc=com

Most other tools provide this flexibility and it greatly simplify configuration and also greatly improves query performance as it is possible to reduce the query scope.

It would be great to have a way to define and mange groups in wekan. Therefore we could share boards with groups, which would be a lot easier for projects with an important team's turnover. If it could be interfaced with LDAP groups, that would be a far lot better !!

Hi,
please change from settings.json to process.env, and add Docker and Snap support.

Examples: wekan/wekan@39312a0 and wekan/wekan@c365090

I'm using the docker-compose.yml linked to from LDAP wiki page (https://github.com/wekan/wekan/wiki/LDAP)

When I attempt to login with a user that doesn't exist I don't get any error message on the page, only the following log output on the console:

wekan-app | [INFO] Init LDAP login "testuser"
wekan-app | [WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL
wekan-app | [INFO] Init setup
wekan-app | [INFO] Connecting "ldap://domain.com:389"
wekan-app | [DEBUG] connectionOptions{ url: 'ldap://domain.com:389',
wekan-app | timeout: 10000,
wekan-app | connectTimeout: 10000,
wekan-app | idleTimeout: 10000,
wekan-app | reconnect: true,
wekan-app | log:
wekan-app | Logger {
wekan-app | domain: null,
wekan-app | _events: {},
wekan-app | _eventsCount: 0,
wekan-app | _maxListeners: undefined,
wekan-app | _level: 30,
wekan-app | streams: [ [Object] ],
wekan-app | serializers: null,
wekan-app | src: false,
wekan-app | fields:
wekan-app | { name: 'ldapjs',
wekan-app | component: 'client',
wekan-app | hostname: '280fdd031117',
wekan-app | pid: 1 } } }
wekan-app | [INFO] LDAP connected
wekan-app | [INFO] Binding UserDN "CN=Admin\, System,OU=Users,OU=TEST,DC=domain,DC=com"
wekan-app | [INFO] Searching user "testuser"
wekan-app | [DEBUG] searchOptions {
wekan-app | "filter": "(&(sAMAccountName=testuser))",
wekan-app | "scope": "sub",
wekan-app | "sizeLimit": 0
wekan-app | }
wekan-app | [DEBUG] BaseDN "OU=TEST,DC=domain,DC=com"
wekan-app | [INFO] Search result count 1
wekan-app | [INFO] Authenticating "CN=testuser,OU=TEST,DC=domain,DC=com"
wekan-app | [INFO] Authenticated "CN=testuser,OU=TEST,DC=domain,DC=com"
wekan-app | [DEBUG] Identifying user with: sAMAccountName
wekan-app | [INFO] Querying user
wekan-app | [DEBUG] userQuery {
wekan-app | "services.ldap.id": "4c5653514c531234567890653137"
wekan-app | }
wekan-app | [DEBUG] userQuery {
wekan-app | "username": "testuser"
wekan-app | }
wekan-app | [INFO] User does not exist, creating "testuser"
wekan-app | [DEBUG] Identifying user with: sAMAccountName
wekan-app | Exception while invoking method 'login' SyntaxError: Unexpected token m in JSON at position 14
wekan-app | at JSON.parse ()
wekan-app | at getDataToSyncUserData (packages/wekan:wekan-ldap/server/sync.js:116:27)
wekan-app | at addLdapUser (packages/wekan:wekan-ldap/server/sync.js:229:20)
wekan-app | at DDPCommon.MethodInvocation. (packages/wekan:wekan-ldap/server/loginHandler.js:159:18)
wekan-app | at packages/accounts-base/accounts_server.js:468:32
wekan-app | at tryLoginMethod (packages/accounts-base/accounts_server.js:245:14)
wekan-app | at AccountsServer.Ap._runLoginHandlers (packages/accounts-base/accounts_server.js:465:18)
wekan-app | at DDPCommon.MethodInvocation.methods.login (packages/accounts-base/accounts_server.js:528:27)
wekan-app | at packages/check.js:128:16
wekan-app | at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:15)
wekan-app | at Object._failIfArgumentsAreNotAllChecked (packages/check.js:127:41)
wekan-app | at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1765:18)
wekan-app | at DDP._CurrentMethodInvocation.withValue (packages/ddp-server/livedata_server.js:719:19)
wekan-app | at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:15)
wekan-app | at DDPServer._CurrentWriteFence.withValue (packages/ddp-server/livedata_server.js:717:46)
wekan-app | at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:15)

If I create a user in wekan with a matching corresponding LDAP user, there is no error on the page, and also no log output. I can still login using the builtin authentication method though.

Based on the following error I'm assuming that some part of the LDAP data is causing the JSON to be malformed, but i'm not sure how to get wekan to spit out the details so I can track it down:
Unexpected token m in JSON at position 14

hello,

I am having troubles with OpenLDAP, using SSL, with Wekan, in a dockerised configuration.

• LDAP connexions are working fine with wekan<=3.64
• LDAP connexions are having timeout with wekan 3.65

exactly same configuration (docker-compose.yml) is working fine with wekan<=3.64 but issuing a connexion timeout with LDAPS.

Here is logs from 3.64 and 3.65.

docker-compose.yml

version: '2'

services:
  wekandb:
    image: mongo:3.2.21
    restart: always
    command: mongod --smallfiles --oplogSize 128
    networks:
      - wekan-tier
    expose:
      - 27017

  wekan:
    # issue with LDAP/SSL with v3.65
    image: wekanteam/wekan:v3.64
    restart: always
    networks:
      - wekan-tier
    ports:
      - 8901:8080
    environment:
      - MONGO_URL=mongodb://wekandb:27017/wekan
      - ROOT_URL=https://wekan.<MY-DOMAIN>/
      - WITH_API=true
      - DEBUG=true

      - MAIL_URL=smtp://smtp.<MY-DOMAIN>:25/?ignoreTLS=true&tls={rejectUnauthorized:true}
      - MAIL_FROM=Wekan-ASAP<no-reply-wekan@asap.<MY-DOMAIN>>
      - DEFAULT_AUTHENTICATION_METHOD=ldap
      - LDAP_ENABLE=true
      - LDAP_HOST=ldap.<MY-DOMAIN>
      - LDAP_PORT=636
      - LDAP_ENCRYPTION=ssl
      - LDAP_BASEDN=<DN>
      - LDAP_LOGIN_FALLBACK=true
      - LDAP_AUTHENTIFICATION=true
      - LDAP_AUTHENTIFICATION_USERDN=<CN>
      - LDAP_AUTHENTIFICATION_PASSWORD=<PASSWD>
      - LDAP_LOG_ENABLED=true
      - LDAP_BACKGROUND_SYNC=false
      - LDAP_REJECT_UNAUTHORIZED=false
      - LDAP_USER_AUTHENTICATION_FIELD=uid
      - LDAP_USER_SEARCH_FILTER=(&(objectclass=<CUSTOM-CLASS>))
      - LDAP_USER_SEARCH_SCOPE=sub
      - LDAP_USER_SEARCH_FIELD=uid
      - LDAP_RECONNECT=true
      - LDAP_FULLNAME_FIELD=cn
      - LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"}


networks:
  wekan-tier:
    driver: bridge

logs from wekan :

wekan 3.64 : OK
wekan_1    | [INFO] Init LDAP login "ldap.user"
wekan_1    | [WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL 
wekan_1    | [WARN] Lookup for unset variable: LDAP_USER_ATTRIBUTES 
wekan_1    | [INFO] Init setup 
wekan_1    | [INFO] Connecting "ldaps://ldap.<MY-DOMAIN>:636"
wekan_1    | [DEBUG] connectionOptions{ url: 'ldaps://ldapd.<MY-DOMAIN>:636',
wekan_1    |   timeout: 10000,
wekan_1    |   connectTimeout: 10000,
wekan_1    |   idleTimeout: 10000,
wekan_1    |   reconnect: true,
wekan_1    |   log: 
wekan_1    |    Logger {
wekan_1    |      domain: null,
wekan_1    |      _events: {},
wekan_1    |      _eventsCount: 0,
wekan_1    |      _maxListeners: undefined,
wekan_1    |      _level: 30,
wekan_1    |      streams: [ [Object] ],
wekan_1    |      serializers: null,
wekan_1    |      src: false,
wekan_1    |      fields: 
wekan_1    |       { name: 'ldapjs',
wekan_1    |         component: 'client',
wekan_1    |         hostname: 'dcb023c844ab',
wekan_1    |         pid: 1 } },
wekan_1    |   tlsOptions: { rejectUnauthorized: false } } 
wekan_1    | [INFO] LDAP connected 
wekan_1    | [INFO] Binding UserDN "sn=<CN>"
wekan_1    | [INFO] Searching user "ldap.user"
wekan_1    | [DEBUG] searchOptions {
wekan_1    |   "filter": "(&(&(objectclass=<CUSTOM-CLASS>))(uid=<CN>))",
wekan_1    |   "scope": "sub",
wekan_1    |   "sizeLimit": 0
wekan_1    | }
wekan_1    | [DEBUG] BaseDN "sn=internes_si,dc=<MY-DOMAIN>"
wekan_1    | [INFO] Search result count 1
wekan_1    | [INFO] Authenticating "uidNumber=26566,...,dc=<MY-DOMAIN>"
wekan_1    | [INFO] Authenticated "uidNumber=26566,...,dc=<MY-DOMAIN>"
wekan_1    | [DEBUG] Identifying user with: uid 
wekan_1    | [INFO] Querying user 
wekan_1    | [DEBUG] userQuery {
wekan_1    |   "services.ldap.id": "...."
wekan_1    | }
wekan_1    | [INFO] Logging user 
wekan_1    | [INFO] Syncing user data 
wekan_1    | [DEBUG] user {
wekan_1    |   "_id": "...."
wekan_1    | }
wekan_1    | [DEBUG] fullname= "<CN>"
wekan_1    | [INFO] Syncing user fullname: "<CN>"

wekan 3.65 : KO
wekan_1    | [INFO] Init LDAP login "ldap.user"
wekan_1    | [WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL 
wekan_1    | [WARN] Lookup for unset variable: LDAP_USER_ATTRIBUTES 
wekan_1    | [INFO] Init setup 
wekan_1    | [INFO] Connecting "ldaps://ldapd.<MY-DOMAIN>:636"
wekan_1    | [DEBUG] connectionOptions{
wekan_1    |   url: 'ldaps://ldapd.<MY-DOMAIN>:636',
wekan_1    |   timeout: 10000,
wekan_1    |   connectTimeout: 10000,
wekan_1    |   idleTimeout: 10000,
wekan_1    |   reconnect: true,
wekan_1    |   log: Logger {
wekan_1    |     _events: [Object: null prototype] {},
wekan_1    |     _eventsCount: 0,
wekan_1    |     _maxListeners: undefined,
wekan_1    |     _level: 30,
wekan_1    |     streams: [ [Object] ],
wekan_1    |     serializers: null,
wekan_1    |     src: false,
wekan_1    |     fields: {
wekan_1    |       name: 'ldapjs',
wekan_1    |       component: 'client',
wekan_1    |       hostname: '86308fe1991c',
wekan_1    |       pid: 1
wekan_1    |     }
wekan_1    |   },
wekan_1    |   tlsOptions: { rejectUnauthorized: false }
wekan_1    | } 
wekan_1    | [ERROR] connection time out 10000
wekan_1    | [ERROR] Error: Timeout 
wekan_1    | [INFO] Fallback to default account system:  {
wekan_1    |   "username": "<ldap.user>"
wekan_1    | }
wekan_1    | [DEBUG] Fallback options:  {
wekan_1    |   "user": {
wekan_1    |     "username": "<ldap.user>"
wekan_1    |   },
wekan_1    |   "password": {
wekan_1    |     "digest": "....",
wekan_1    |     "algorithm": "sha-256"
wekan_1    |   }
wekan_1    | }

I noticed an issue while trying to get LDAP logins setup. With LDAP login enabled, you get an Authentication dropdown box with "Password" and "LDAP" in it.

However, if you click the "Register" link, then from the registration page click "sign in", it brings you back to the sign in page, but the Authentication dropdown is no longer there. if you refresh to login page, it comes back.

Also, is this Authentication dropdown suppose to still show up when you have LDAP_LOGIN_FALLBACK set to false?

Wekan: v1.82 / Docker on Ubuntu 18.04 Server

If I delete the Database , Wekan creates new User with LDAP Logon.

But Wekan is running now for a while , with existing Users & lot of Boards ,
so I need to merge the existing Users & there Boards.

Merge is activated:

 -e "LDAP_MERGE_EXISTING_USERS=true" \

[INFO] User does not exist, creating "aaaa.bbbbatwekan.com"
[DEBUG] Identifying user with: mail 

[DEBUG] New user data {
  "username": "aaaa.bbbbatwekan.com",
  "email": "[email protected]"
}
[ERROR] Error creating user {
  "isClientSafe": true,
  "error": 403,
  "reason": "Email already exists.",
  "message": "Email already exists. [403]",
  "errorType": "Meteor.Error"
}

Hello. I'm trying to setup an LDAP authentification with an open-ldap, but I can't make it works. I'm trying for a while now, and it get very frustrating...

Did you test in newest Wekan?: Yes
Wekan version: latest (stable)
Operating System: Debian
Deployment Method(snap/docker/sandstorm/mongodb bundle/source): Docker
Docker version : Docker version 18.06.1-ce

Docker parameters :
- LDAP_ENABLE=true
- LDAP_PORT=389
- LDAP_HOST='ldap.imperium-gaming.fr'
- LDAP_BASEDN='ou=Users,dc=imperium-gaming,dc=fr'
- LDAP_LOGIN_FALLBACK=false
- LDAP_RECONNECT=true
- LDAP_TIMEOUT=10000
- LDAP_IDLE_TIMEOUT=10000
- LDAP_CONNECT_TIMEOUT=10000
- LDAP_AUTHENTIFICATION=true
- LDAP_AUTHENTIFICATION_USERDN='cn=xxx,dc=imperium-gaming,dc=fr'
- LDAP_AUTHENTIFICATION_PASSWORD='xxx'
- LDAP_LOG_ENABLED=true
- LDAP_INTERNAL_LOG_LEVEL='debug'
- LDAP_USER_SEARCH_SCOPE='sub'
- LDAP_USER_SEARCH_FIELD='uid'
- LDAP_GROUP_FILTER_ENABLE=false
- LDAP_UNIQUE_IDENTIFIER_FIELD='uid'
- LDAP_USERNAME_FIELD='uid'
- LDAP_MERGE_EXISTING_USERS=true
- LDAP_SYNC_USER_DATA=true
- LDAP_SYNC_USER_DATA_FIELDMAP='{"cn":"name", "mail":"email"}'
- LDAP_DEFAULT_DOMAIN=''
- LDAP_UTF8_NAMES_SLUGIFY=true

Also, my wekan-app & db are on the same docker networks than my open-ldap (which is also a docker container).
I have successfully connected my open-ldap to a gitlab, a ldap-self-service-password, teampass, dokuwiki, nextcloud, pfsense and a zabbix server.

I have successfully tested with such things :

ldapsearch -x -LLL -h ldap.imperium-gaming.fr -D cn=xxxx,dc=imperium-gaming,dc=fr -w PASSWORD -b"ou=Users,dc=imperium-gaming,dc=fr" -s sub "(objectClass=*)" givenName

ldapwhoami -H "ldap://ldap.imperium-gaming.fr:389" -D "cn=MYUSER,ou=Users,dc=imperium-gaming,dc=fr" -W && echo all is ok

And still... I can't manage to make it works. It's like i'm missing something very tiny and being blind to it...

wekan-app | [INFO] Init LDAP login "test"
wekan-app | [INFO] Init setup
wekan-app | [INFO] Connecting "ldap://'ldap.imperium-gaming.fr':389"
wekan-app | [DEBUG] connectionOptions{ url: 'ldap://'ldap.imperium-gaming.fr':389',
wekan-app | timeout: 10000,
wekan-app | connectTimeout: 10000,
wekan-app | idleTimeout: 10000,
wekan-app | reconnect: true,
wekan-app | log:
wekan-app | Logger {
wekan-app | domain: null,
wekan-app | _events: {},
wekan-app | _eventsCount: 0,
wekan-app | _maxListeners: undefined,
wekan-app | _level: 30,
wekan-app | streams: [ [Object] ],
wekan-app | serializers: null,
wekan-app | src: false,
wekan-app | fields:
wekan-app | { name: 'ldapjs',
wekan-app | component: 'client',
wekan-app | hostname: 'c1773fd56fde',
wekan-app | pid: 1 } } }
wekan-app | [ERROR] connection time out 10000
wekan-app | [ERROR] Error: Timeout

Thanks for reading, i'm waiting for hope.

Issue

Add these issues to elsewhere:

• Snap: https://github.com/wekan/wekan-snap/issues

Other Wekan issues can be added here.

Server Setup Information:

• Did you test in newest Wekan?: yep
• Wekan version: 3.57, snap installation
• Operating System: linux (debian)

Problem description:

I have a group named BoardUsers configured in my MS AD. The group filter should now check if the user is in this group or not.

I set these values as my config for the LDAP group filter;
ldap-group-filter-enable true ldap-group-filter-group-id-attribute CN ldap-group-filter-group-name BoardUsers ldap-group-filter-objectclass group

But the log states
[DEBUG] Group filter LDAP: "(&(objectClass=group))"

Is there anything I'm misunderstanding about this filter? The help site for it isn't really helping either.

Hello i have a problem with Active Directory
when i check snap logs -f wekan
i see the user try to connect
It's write LDAP Connected

But i have this message someone can help me plz
[ERROR] OperationsError: 000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0

I got this report from Stanalone Wekan Docker user:

Today I've been trying to map CN to Fullname:

LDAP_SYNC_USER_DATA_FIELDMAP={\"cn\":\"name\", \"mail\":\"email\"}

However, if I use the line as mentioned in the example (above) the login doesn't work anymore and the following is displayed in the log:

[INFO] User does not exist, creating "ehu"
[DEBUG] Identifying user with: sAMAccountName
Exception while invoking method 'login' SyntaxError: Unexpected token \ in JSON at position 1
at JSON.parse (<anonymous>)
at getDataToSyncUserData (packages/wekan:wekan-ldap/server/sync.js:116:27)
at addLdapUser (packages/wekan:wekan-ldap/server/sync.js:229:20)
at DDPCommon.MethodInvocation.<anonymous> (packages/wekan:wekan-ldap/server/loginHandler.js:159:18)
at packages/accounts-base/accounts_server.js:468:32
at tryLoginMethod (packages/accounts-base/accounts_server.js:245:14)
at AccountsServer.Ap._runLoginHandlers (packages/accounts-base/accounts_server.js:465:18)
at DDPCommon.MethodInvocation.methods.login (packages/accounts-base/accounts_server.js:528:27)
at packages/check.js:128:16
at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:15)
at Object._failIfArgumentsAreNotAllChecked (packages/check.js:127:41)
at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1765:18)
at DDP._CurrentMethodInvocation.withValue (packages/ddp-server/livedata_server.js:719:19)
at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:15)
at DDPServer._CurrentWriteFence.withValue (packages/ddp-server/livedata_server.js:717:46)
at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:15)

The only way I don't get that error is if I leave out all the backslashes, eg:

- LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"}

but the Name doesn't get mapped.

@Akuket Can you look at this?

Server Setup Information:

• Did you test in newest Wekan?: yes
• Wekan version:2.38.0
• Operating System:centos7
• Deployment Method(snap/docker/sandstorm/mongodb bundle/source):snap
• Http frontend if any (Caddy, Nginx, Apache, see config examples from Wekan GitHub wiki first):apache
• Node Version:snap-version
• MongoDB Version:snap-version

Problem description:
I have the following configuration:

snap set wekan ldap-sync-user-data='true'
snap set wekan ldap-sync-user-data-fieldmap='{"cn":"name", "mail":"email", "initials":"initials"}'
snap set wekan ldap-sync-admin-status='true'
snap set wekan ldap-sync-admin-groups='SG_ACCES_WEKAN_ADMIN'

but the field "initials" is not updated with AD info. Error Message :
[DEBUG] user attribute not whitelisted: initials

question: is it possible to synchronize another field than name and email?
Exemple : "invitedBoards", "language" or "starredBoards"

the admin role is also not applied to the new user

I can not find any info on the use of the parameter : ldap-sync-group-roles, is it possible to explain its use?

best regards

I got this error today : [WARN] Lookup for unset variable: LDAP_FULLNAME_FIELD
Everything was functional before.

Any idea ? Thanks

Hello,

I am trying to configure wekan to connect to my LDAP server, but I am stuck on an error:

Nov 28 12:00:35 myserver.local wekan[14042]: [ERROR] TypeError: Cannot read property '0' of undefined

Did you test in newest Wekan?: Yes
Wekan version: latest (master)
Operating System: CentOS
Deployment Method: Source

Here the full output when I am trying to log in:

Nov 28 12:00:34 myserver.local wekan[14042]: [INFO] Init LDAP login "testuser"
Nov 28 12:00:34 myserver.local wekan[14042]: [WARN] Lookup for unset variable: LDAP_CA_CERT
Nov 28 12:00:34 myserver.local wekan[14042]: [WARN] Lookup for unset variable: LDAP_USER_SEARCH_FILTER
Nov 28 12:00:34 myserver.local wekan[14042]: [WARN] Lookup for unset variable: LDAP_USER_SEARCH_SCOPE
Nov 28 12:00:34 myserver.local wekan[14042]: [WARN] Lookup for unset variable: LDAP_GROUP_FILTER_OBJECTCLASS
Nov 28 12:00:34 myserver.local wekan[14042]: [WARN] Lookup for unset variable: LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE
Nov 28 12:00:34 myserver.local wekan[14042]: [WARN] Lookup for unset variable: LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE
Nov 28 12:00:34 myserver.local wekan[14042]: [WARN] Lookup for unset variable: LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT
Nov 28 12:00:34 myserver.local wekan[14042]: [WARN] Lookup for unset variable: LDAP_GROUP_FILTER_GROUP_NAME
Nov 28 12:00:34 myserver.local wekan[14042]: [INFO] Init setup
Nov 28 12:00:34 myserver.local wekan[14042]: [INFO] Connecting "ldap://192.168.X.X:389"
Nov 28 12:00:34 myserver.local wekan[14042]: [DEBUG] connectionOptions{ url: 'ldap://192.168.X.X:389',
Nov 28 12:00:34 myserver.local wekan[14042]: timeout: 15000,
Nov 28 12:00:34 myserver.local wekan[14042]: connectTimeout: 15000,
Nov 28 12:00:34 myserver.local wekan[14042]: idleTimeout: 15000,
Nov 28 12:00:34 myserver.local wekan[14042]: reconnect: true,
Nov 28 12:00:34 myserver.local wekan[14042]: log:
Nov 28 12:00:34 myserver.local wekan[14042]: Logger {
Nov 28 12:00:34 myserver.local wekan[14042]: domain: null,
Nov 28 12:00:34 myserver.local wekan[14042]: _events: {},
Nov 28 12:00:34 myserver.local wekan[14042]: _eventsCount: 0,
Nov 28 12:00:34 myserver.local wekan[14042]: _maxListeners: undefined,
Nov 28 12:00:34 myserver.local wekan[14042]: _level: 20,
Nov 28 12:00:34 myserver.local wekan[14042]: streams: [ [Object] ],
Nov 28 12:00:34 myserver.local wekan[14042]: serializers: null,
Nov 28 12:00:34 myserver.local wekan[14042]: src: false,
Nov 28 12:00:34 myserver.local wekan[14042]: fields:
Nov 28 12:00:34 myserver.local wekan[14042]: { name: 'ldapjs',
Nov 28 12:00:34 myserver.local wekan[14042]: component: 'client',
Nov 28 12:00:34 myserver.local wekan[14042]: hostname: 'myserver.local',
Nov 28 12:00:34 myserver.local wekan[14042]: pid: 14042 } } }
Nov 28 12:00:35 myserver.local wekan[14042]: [INFO] LDAP connected
Nov 28 12:00:35 myserver.local wekan[14042]: [INFO] Binding UserDN "cn=cs-wekan,ou=SERVICE-ACCOUNTS,dc=mydc,dc=local"
Nov 28 12:00:35 myserver.local wekan[14042]: {"name":"ldapjs","component":"client","hostname":"myserver.local","pid":14042,"clazz":"Client","ldap_id":"5__ldap://192.168.X.X:389","level":20,"msg":"connected after 1 attempt(s)","time":"2018-11-28T11:00:35.042Z","v":0}
Nov 28 12:00:35 myserver.local wekan[14042]: [ERROR] TypeError: Cannot read property '0' of undefined
Nov 28 12:00:36 myserver.local wekan[14042]: [INFO] Idle
Nov 28 12:00:36 myserver.local wekan[14042]: [INFO] Disconecting
Nov 28 12:00:36 myserver.local wekan[14042]: [INFO] Closed

I am using the last version (master) of:

• wekan
• wekan-ldap

I am using the following LDAP configuration:

LDAP_ENABLE=true
LDAP_PORT=389
LDAP_HOST=192.168.X.X
LDAP_BaseDN=ou=user,dc=mydc,dc=local
LDAP_ENCRYPTION=false
LDAP_LOGIN_FALLBACK=false
LDAP_RECONNECT=true
LDAP_TIMEOUT=15000
LDAP_IDLE_TIMEOUT=15000
LDAP_CONNECT_TIMEOUT=15000
LDAP_AUTHENTIFICATION=true
LDAP_AUTHENTIFICATION_USERDN=cn=cs-wekan,ou=SERVICE-ACCOUNTS,dc=mydc,dc=local
LDAP_AUTHENTIFICATION_PASSWORD=STRONGPASSWORD
LDAP_INTERNAL_LOG_LEVEL=debug
LDAP_LOG_ENABLED=true
LDAP_BACKGROUND_SYNC=true
LDAP_BACKGROUND_SYNC_INTERVAL=3600000
LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=true
LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=true
LDAP_USER_SEARCH_FIELD=upn
LDAP_SEARCH_PAGE_SIZE=0
LDAP_SEARCH_SIZE_LIMIT=1000
LDAP_GROUP_FILTER_ENABLE=true
LDAP_USERNAME_FIELD=username
LDAP_MERGE_EXISTING_USERS=true
LDAP_SYNC_USER_DATA=true
LDAP_DEFAULT_DOMAIN=mydomain.tld

Did you know the cause of this error, or a workaround?

Thanks 😄